diff options
| author | Jeroen van Meeuwen (Ergo Project) <jeroen.van.meeuwen@ergo-project.org> | 2017-09-21 19:28:15 +0200 |
|---|---|---|
| committer | Jeroen van Meeuwen (Ergo Project) <jeroen.van.meeuwen@ergo-project.org> | 2017-09-21 19:28:15 +0200 |
| commit | 10a87792e56496e94cd11bcb4d44ee9561f07552 (patch) | |
| tree | 716e5ccdd3fb6c9e29ffe66b141cf92964ea8574 | |
| parent | 6a777617406defe19df7a85b86427f1f3e0c3384 (diff) | |
| download | httpd-10a87792e56496e94cd11bcb4d44ee9561f07552.tar.gz httpd-10a87792e56496e94cd11bcb4d44ee9561f07552.tar.xz httpd-10a87792e56496e94cd11bcb4d44ee9561f07552.zip | |
Address CVE-2017-9798 by applying upstream patch
Reference RHBZ #1490344
| -rw-r--r-- | httpd-2.4.27-CVE-2017-9798.patch | 15 | ||||
| -rw-r--r-- | httpd.spec | 11 |
2 files changed, 23 insertions, 3 deletions
diff --git a/httpd-2.4.27-CVE-2017-9798.patch b/httpd-2.4.27-CVE-2017-9798.patch new file mode 100644 index 0000000..be590f2 --- /dev/null +++ b/httpd-2.4.27-CVE-2017-9798.patch @@ -0,0 +1,15 @@ +--- httpd/httpd/branches/2.4.x/server/core.c 2017/08/16 16:50:29 1805223 ++++ httpd/httpd/branches/2.4.x/server/core.c 2017/09/08 13:13:11 1807754 +@@ -2266,6 +2266,12 @@ + /* method has not been registered yet, but resource restriction + * is always checked before method handling, so register it. + */ ++ if (cmd->pool == cmd->temp_pool) { ++ /* In .htaccess, we can't globally register new methods. */ ++ return apr_psprintf(cmd->pool, "Could not register method '%s' " ++ "for %s from .htaccess configuration", ++ method, cmd->cmd->name); ++ } + methnum = ap_method_register(cmd->pool, + apr_pstrdup(cmd->pool, method)); + } @@ -13,7 +13,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.27 -Release: 9%{?dist} +Release: 10%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -74,7 +74,8 @@ Patch56: httpd-2.4.4-mod_unique_id.patch Patch57: httpd-2.4.10-sigint.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1397243 Patch58: httpd-2.4.25-r1738878.patch -Patch59: httpd-2.4.27-r1808230.patch +Patch59: httpd-2.4.27-CVE-2017-9798.patch +Patch60: httpd-2.4.27-r1808230.patch # Security fixes License: ASL 2.0 @@ -222,7 +223,8 @@ interface for storing and accessing per-user session data. %patch56 -p1 -b .uniqueid %patch57 -p1 -b .sigint %patch58 -p1 -b .r1738878 -%patch59 -p1 -b .r1808230 +%patch59 -p4 -b .cve-2017-9798 +%patch60 -p1 -b .r1808230 # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -687,6 +689,9 @@ rm -rf $RPM_BUILD_ROOT %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Thu Sep 21 2017 Jeroen van Meeuwen <kanarip@fedoraproject.org> - 2.4.27-10 +- Address CVE-2017-9798 by applying patch from upstream (#1490344) + * Thu Sep 21 2017 Joe Orton <jorton@redhat.com> - 2.4.27-9 - use sscg defaults; append CA cert to generated cert - document httpd-init.service in httpd-init.service(8) |